Active Directory Domain Security Technical Implementation Guide (STIG)
U_Active_Directory_Domain_V2R6_STIG_Manual-xccdf.xml
This STIG provides focused security requirements for the AD or Active Directory Domain Services (AD DS) element for Windows Servers operating systems. These requirements apply to the domain and can typically be reviewed once per AD domain. The separate Active Directory Forest STIG contains forest level requirements. Systems must also be reviewed using the applicable Windows STIG. Comments or proposed revisions to this document should be sent via e-mail to the following address: [email protected]
Details
Version / Release: V2R6
Published: 2014-12-18
Updated At: 2018-09-23 01:25:47
Download
Filter
Findings
| Severity | Open | Not Reviewed | Not Applicable | Not a Finding |
|---|---|---|---|---|
| Overall | 0 | 0 | 0 | 0 |
| Low | 0 | 0 | 0 | 0 |
| Medium | 0 | 0 | 0 | 0 |
| High | 0 | 0 | 0 | 0 |
Drop CKL or SCAP (XCCDF) results here.
| Vuln | Rule | Version | CCI | Severity | Title | Description | Status | Finding Details | Comments |
|---|---|---|---|---|---|---|---|---|---|
| SV-9018r3_rule | AD.0260 | CCI-000366 | LOW | User accounts with delegated authority must be removed from Windows built-in administrative groups or remove the delegated authority from the accounts. | In AD it is possible to delegate account and other AD object ownership and administration tasks. (This is commonly done for help desk or other user support staff.) This is done to avoid the need to assign users to Windows groups with more widely ranging privileges. If a user with delegated authority to user accounts in a specific OU is also a member of the Administrators group, that user has the ability to reconfigure a wide range of domain security settings and change user accounts outside of the OU to which s/he is a delegated authority. A lack of specific baseline documentation of accounts with delegated privileges makes it impossible to determine if the configured privileges are consistent with the intended security policy.Information Assurance ManagerECLP-1, ECPA-1 | ||||
| SV-30991r3_rule | DS00.1140_AD | CCI-002418 | MEDIUM | A VPN must be used to protect directory network traffic for directory service implementation spanning enclave boundaries. | The normal operation of AD requires the use of IP network ports and protocols to support queries, replication, user authentication, and resource authorization services. At a minimum, LDAP or LDAPS is usually required for communication with every domain controller. DoD Ports, Protocols, and Services Management (PPSM) policy restricts the use of LDAP, LDAPS, and many of the AD-related protocols across enclave boundaries because vulnerabilities exist in the protocols or service implementations. To comply with the restrictions and address the vulnerabilities, a VPN implementation may be used. If AD data traverses enclave network boundaries using a vulnerable protocol or service without the protection provided by a VPN, that data might be subject to tampering or interception. Further Policy Details: Implement a VPN or other network protection solution in accordance with the Network Infrastructure STIG that protects AD data in transit across DoD enclave boundaries. VPN requirements will include registering the VPN and connection points with the PPSM. Current guidance is available in the Network Infrastructure STIG and from the PPSM.Information Assurance OfficerInformation Assurance ManagerDCPP-1 | ||||
| SV-30994r3_rule | DS00.4140_AD | CCI-000067 | MEDIUM | If a VPN is used in the AD implementation, the traffic must be inspected by the network Intrusion detection system (IDS). | To provide data confidentiality, a VPN is configured to encrypt the data being transported. While this protects the data, some implementations do not allow that data to be processed through an intrusion detection system (IDS) that could detect data from a compromised system or malicious client. Further policy details:Replace the VPN solution or reconfigure it so that directory data is processed by a network or host-based intrusion detection system (IDS). Information Assurance OfficerEBVC-1 | ||||
| SV-30996r2_rule | DS00.6140_AD | CCI-000366 | MEDIUM | When the domain supports a MAC I or II domain, the directory service must be supported by multiple directory servers. | In AD architecture, multiple domain controllers provide availability through redundancy. If an AD domain or servers within it are designated as MAC I or II and the domain is supported by only a single domain controller, an outage of that machine can prevent users from accessing resources on servers in that domain and in other AD domains.Information Assurance OfficerCOTR-1 | ||||
| SV-30995r3_rule | DS00.6120_AD | CCI-000366 | LOW | AD implementation information must be added to the sites disaster recovery plans, including AD forest, tree, and domain structure. | When an incident occurs that requires multiple AD domain controllers to be rebuilt, it is critical to understand the AD hierarchy and replication flow so that the correct recovery sequence and configuration values can be selected. Without appropriate AD forest, tree and domain structural documentation, it may be impossible or very time consuming to reconstruct the original configuration.Information Assurance OfficerCODP-1, CODP-2, CODP-3, COEF-1, COEF-2 | ||||
| SV-31214r2_rule | DS00.7100_AD | CCI-000366 | LOW | The impact of INFOCON changes on the cross-directory authentication configuration must be considered and procedures documented. | When incidents occur that require a change in the INFOCON status, it may be necessary to take action to restrict or disable certain types of access that is based on a directory outside the Component’s control. Cross-directory configurations (such as trusts and pass-through authentication) are specifically designed to enable resource access across directories. If conditions indicate that an outside directory is at increased risk of compromise in the immediate or near future, actions to avoid a spread of the effects of the compromise should be taken. A trusted outside directory that is compromised could allow an unauthorized user to access resources in the trusting directory.Information Assurance OfficerVIIR-1, VIIR-2 | ||||
| SV-30989r2_rule | DS00.1120_AD | CCI-000366 | LOW | Each cross-directory authentication configuration must be documented. | AD external, forest, and realm trust configurations are designed to extend resource access to a wider range of users (those in other directories). If specific baseline documentation of authorized AD external, forest, and realm trust configurations is not maintained, it is impossible to determine if the configurations are consistent with the intended security policy.Information Assurance OfficerDCID-1 | ||||
| SV-9030r2_rule | AD.0170 | CCI-000366 | MEDIUM | Access to need-to-know information must be restricted to an authorized community of interest. | Because trust relationships effectively eliminate a level of authentication in the trusting domain or forest, they represent less stringent access control at the domain or forest level in which the resource resides. To mitigate this risk, trust relationships must be documented so that they can be readily verified during periodic inspections designed to validate only approved trusts are configured in AD.Information Assurance OfficerECAN-1 | ||||
| SV-9031r2_rule | AD.0180 | CCI-000366 | HIGH | Interconnections between DoD directory services of different classification levels must use a cross-domain solution that is approved for use with inter-classification trusts. | If a robust cross-domain solution is not used, then it could permit unauthorized access to classified data. To support secure access between resources of different classification levels, the solution must meet discretionary access control requirements. There are currently, no DOD- approved solutions. Further Policy Details: Do not define trust relationships between domains, forests, or realms with resources at different classification levels. The configuration of a trust relationship is one of the steps used to allow users in one AD domain to access resources in another domain, forest, or Kerberos realm. (This check does not apply to trusts with non-DoD organizations since these trusts are examined in a previous check.)Information Assurance OfficerECIC-1 | ||||
| SV-9033r2_rule | AD.0181 | CCI-000366 | HIGH | A controlled interface must have interconnections among DoD information systems operating between DoD and non-DoD systems or networks. | The configuration of an AD trust relationship is one of the steps used to allow users in one domain to access resources in another domain, forest, or Kerberos realm. When a trust is defined between a DoD organization and a non-DoD organization, the security posture of the two organizations might be significantly different. If the non-DoD organization maintained a less secure environment and that environment were compromised, the presence of the AD trust might allow the DoD environment to be compromised also.Information Assurance OfficerECIC-1 | ||||
| SV-9035r3_rule | AD.0190 | CCI-000764 | MEDIUM | Security identifiers (SIDs) must be configured to use only authentication data of directly trusted external or forest trust. | Under some circumstances it is possible for attackers or rogue administrators that have compromised a domain controller in a trusted domain to use the SID history attribute (sIDHistory) to associate SIDs with new user accounts, granting themselves unauthorized rights. To help prevent this type of attack, SID filter quarantining is enabled by default on all external trusts. However, it is possible for an administrator to change this setting or the trust may have been created in an older version of AD. SID filtering causes SID references that do not refer to the directly trusted domain or forest to be removed from inbound access requests in the trusting domain. Without SID filtering, access requests could contain spoofed SIDs, permitting unauthorized access. In cases where access depends on SID history or Universal Groups, failure to enable SID filtering could result in operational problems, including denial of access to authorized users. When the quarantine switch is applied to external or forest trusts, only those SIDs from the single, directly trusted domain are valid. In effect, enabling /quarantine on a trust relationship will break the transitivity of that trust so that only the specific domains on either side of the trust are considered participants in the trust.Information Assurance OfficerECAN-1, ECCD-1, ECCD-2 | ||||
| SV-9037r2_rule | AD.0200 | CCI-000213 | MEDIUM | Selective Authentication must be enabled on the outgoing forest trust. | Outbound AD forest trusts can be configured with the Selective Authentication option. Enabling this option significantly strengthens access control by requiring explicit authorization (through the Allowed to Authenticate permission) on resources in the trusting forest. When Selective Authentication is not enabled, less secure resource access permissions (such as those that specify Authenticated Users) might permit unauthorized access. Further Policy Details: Selective Authentication can be configured with the Domains and Trusts console (domain.msc). It may be necessary to configure the Allowed to Authenticate permission on resources in the trusting domain. Implementation requires configuration of the Allowed to Authenticate permission on resources in the trusting domain for which access is desired. Failure to configure this permission could result in operational problems including denied resource access to authorized users.Information Assurance OfficerECAN-1, ECCD-1, ECCD-2 | ||||
| SV-9044r2_rule | AD.0220 | CCI-000804 | MEDIUM | The Everyone and Anonymous Logon groups must be removed from the Pre-Windows 2000 Compatible Access group. | The Pre-Windows 2000 Compatible Access group was created to allow Windows NT domains to interoperate with AD domains by allowing unauthenticated access to certain AD data. The default permissions on many AD objects are set to allow access to the Pre-Windows 2000 Compatible Access group. Implementation in a Windows forest in which Windows NT domain controllers are still deployed could result in operational problems including denied access to authorized users. When the Everyone or Anonymous Logon groups are members of the Pre-Windows 2000 Compatible Access group, anonymous access to many AD objects is enabled. Anonymous access to AD data could provide valuable account or configuration information to an intruder trying to determine the most effective attack strategies.System AdministratorInformation Assurance OfficerECAN-1, ECCD-1, ECCD-2 | ||||
| SV-9045r2_rule | AD.0240 | CCI-000366 | MEDIUM | The number of member accounts in privileged groups must not be excessive. | Membership in the following Windows security groups assigns a high privilege level for AD functions: Domain Admins, Enterprise Admins, Schema Admins, Group Policy Creator Owners, and Incoming Forest Trust Builders. When a large number of users are members of highly privileged groups, the risk from unintended updates or compromised accounts is significantly increased. A lack of specific baseline documentation on privileged group membership makes it impossible to determine if the assigned accounts are consistent with the intended security policy. Further Policy Details: It is possible to move the highly privileged AD security groups out of the AD Users container. If the Domain Admins, Enterprise Admins, Schema Admins, or Group Policy Creator Owners groups are not in the AD Users container, ask the SA for the new location and use that location for this check.Information Assurance ManagerECLP-1, ECPA-1 | ||||
| SV-31557r2_rule | DS00.3200_AD | CCI-000366 | MEDIUM | Accounts from outside directories that are not part of the same organization or are not subject to the same security policies must be removed from all highly privileged groups. | Membership in certain default directory groups assigns a high privilege level for access to the directory. In AD, membership in the following groups enables high privileges relative to AD and the Windows OS: Domain Admins, Enterprise Admins, Schema Admins, Group Policy Creator Owners, and Incoming Forest Trust Builders. When accounts from an outside directory are members of highly privileged groups in the directory being reviewed, less rigorous security policies or compromises of accounts in the outside directory could increase the risk to the directory where the privileged groups are defined. A compromise to the outside directory would allow unauthorized, privileged access.System AdministratorInformation Assurance OfficerECLP-1, ECPA-1 | ||||
| SV-9048r3_rule | AD.0160 | CCI-000366 | MEDIUM | The domain functional level must be at a Windows Server version still supported by Microsoft. | Domains operating at functional levels below Windows Server versions no longer supported by Microsoft reduce the level of security in the domain and forest as advanced features of the directory are not available. This also prevents the addition of domain controllers to the domain using Windows Server versions prior to the current domain functional level.System AdministratorInformation Assurance OfficerECSC-1 | ||||
| SV-30992r2_rule | DS00.3230_AD | CCI-000366 | MEDIUM | Replication must be enabled and configured to occur at least daily. | Timely replication makes certain that directory service data is consistent across all servers that support the same scope of data for their clients. In AD implementation using AD Sites, domain controllers defined to be in different AD Sites require Site links to specify properties for replication scheduling. If AD Site link schedule and replication interval properties are configured improperly, AD data replication may not occur frequently enough and updates to identification, authentication, or authorization data may not be current on all domain controllers. If this data is not current, access to resources may be incorrectly granted or denied. Further policy details: An AD instance may have no AD site links defined. The following are ways in which site link properties would prevent daily AD replication: 1. Setting the “Replicate every” value to a number greater than 1440 (the number of minutes in one day). 2. Setting the Schedule value for all hours in a day to “Replication Not Available”.System AdministratorInformation Assurance OfficerECAN-1, ECCD-1, ECCD-2 | ||||
| SV-31547r2_rule | DS00.0160_AD | CCI-000366 | MEDIUM | Directory data must be backed up at the required frequency. | Failure to maintain a current backup of directory data could make it difficult or impossible to recover from incidents including hardware failure or malicious corruption. A failure to recover from the loss of directory data used in identification and authentication services (i.e.,, Active Directory) could result in an extended loss of availability. Information Assurance OfficerCODB-1, CODB-2, CODB-3 | ||||
| SV-32179r2_rule | AD.0151 | CCI-000366 | MEDIUM | The Directory Service Restore Mode (DSRM) password must be changed at least annually. | This is a tremendously powerful password which should be changed periodically. This password is unique to each DC and is used to logon to a DC when rebooting into the server recovery mode. With a weak or known password, anyone with local access to the DC can reboot this machine, copy or modify the Active Directory database, and reboot the server without leaving any trace of the activity. Failure to change the DSRM password periodically could allow a compromised resource (maliciously or through personnel turnover) to go undetected for an extended period. Failure to change the DSRM password could allow an unknown (lost) password to go undetected. If not corrected during a periodic review, the problem might surface during an actual recovery operation and delay or prevent the recovery.Information Assurance ManagerIAIA-1, IAIA-2 | ||||
| SV-32180r2_rule | AD.9100 | CCI-000366 | LOW | Security vulnerability reviews of the domain and/or forest in which the domain controller resides must be conducted at least annually. | An AD domain controller is impacted by the AD environment created by the security configuration of the domain and forest in which the domain controller resides. A proper review of the AD environment requires checks at the domain controller, domain, and forest level. If the domain or forest-level checks are not performed at the same time or within a reasonable time frame, the domain controller may be at risk from non-secure settings at those levels.Information Assurance OfficerECSC-1 | ||||
| SV-32648r2_rule | AD.0270 | CCI-000366 | MEDIUM | Read-only Domain Controller (RODC) architecture and configuration must comply with directory services requirements. | The RODC role provides a unidirectional replication method for selected information from your internal network to the DMZ. If not properly configured so that the risk footprint is minimized, the interal domain controller or forest can be compromised. RODC is considered part of the site’s Forest or Domain installation since it is not a standalone product, but rather a role of the the Windows AD DS full installation or Server Core installation. It is possible to have Windows 2003 clients authenticated using RODC, however, compatibility packs are needed. Note that RODC is not authorized for use across the site's perimeter firewall.Information Assurance OfficerECSC-1 | ||||
| SV-47837r2_rule | AD.0001 | CCI-000366 | HIGH | Membership to the Enterprise Admins group must be restricted to accounts used only to manage the Active Directory Forest. | The Enterprise Admins group is a highly privileged group. Personnel who are system administrators must log on to Active Directory systems only using accounts with the level of authority necessary. Only system administrator accounts used exclusively to manage the Active Directory Forest may be members of the Enterprise Admins group. A separation of administrator responsibilities helps mitigate the risk of privilege escalation resulting from credential theft attacks.ECPA-1 | ||||
| SV-47838r2_rule | AD.0002 | CCI-000366 | HIGH | Membership to the Domain Admins group must be restricted to accounts used only to manage the Active Directory domain and domain controllers. | The Domain Admins group is a highly privileged group. Personnel who are system administrators must log on to Active Directory systems only using accounts with the level of authority necessary. Only system administrator accounts used exclusively to manage an Active Directory domain and domain controllers may be members of the Domain Admins group. A separation of administrator responsibilities helps mitigate the risk of privilege escalation resulting from credential theft attacks.ECPA-1 | ||||
| SV-47839r2_rule | AD.0003 | CCI-000366 | MEDIUM | Administrators must have separate accounts specifically for managing domain member servers. | Personnel who are system administrators must log on to domain systems only using accounts with the minimum level of authority necessary. Only system administrator accounts used exclusively to manage domain member servers may be members of an administrator group for domain member servers. A separation of administrator responsibilities helps mitigate the risk of privilege escalation resulting from credential theft attacks.ECPA-1 | ||||
| SV-47840r2_rule | AD.0004 | CCI-000366 | MEDIUM | Administrators must have separate accounts specifically for managing domain workstations. | Personnel who are system administrators must log on to domain systems only using accounts with the minimum level of authority necessary. Only system administrator accounts used exclusively to manage domain workstations may be members of an administrators group for domain workstations. A separation of administrator responsibilities helps mitigate the risk of privilege escalation resulting from credential theft attacks.ECPA-1 | ||||
| SV-47841r2_rule | AD.0005 | CCI-000366 | HIGH | Delegation of privileged accounts must be prohibited. | Privileged accounts such as those belonging to any of the administrator groups must not be trusted for delegation. Allowing privileged accounts to be trusted for delegation provides a means for privilege escalation from a compromised system.ECLP-1 | ||||
| SV-47842r4_rule | AD.MP.0001 | CCI-001082 | MEDIUM | Only systems dedicated for the sole purpose of managing Active Directory must be used to manage Active Directory remotely. | Only domain systems used exclusively to manage Active Directory (referred to as AD admin platforms) must be used to manage Active Directory remotely. Dedicating domain systems to be used solely for managing Active Directory will aid in protecting privileged domain accounts from being compromised. This includes the management of Active Directory itself and the Domain Controllers (DCs) that run Active Directory, including such activities as domain level user and computer management, administering trusts, replication, schema changes, site topology, domain-wide group policy, the addition of new DCs, DC software installation, and DC backups and restore operations. Some maintenance activities may be delegated and do not require the use of an AD admin platform. These include non-domain level activities such as user and computer management as well as group policy maintenance in site defined organizational units. Accounts that have been delegated these activities must not be members of Domain or Enterprise Admin groups. These activities may still be performed with the use of an AD admin platform for the additional protections they provide.ECSC-1 | ||||
| SV-47843r2_rule | AD.0007 | CCI-001084 | MEDIUM | Dedicated systems used for managing Active Directory remotely must be blocked from Internet Access. | A system used to manage Active Directory provides access to highly privileged areas of a domain. Such a system with Internet access may be exposed to numerous attacks and compromise the domain. Restricting Internet access for dedicated systems used to manage Active Directory will aid in protecting privileged domain accounts from being compromised.ECSC-1 | ||||
| SV-47844r2_rule | AD.0008 | CCI-001941 | MEDIUM | Local administrator accounts on domain systems must not share the same password. | Local administrator accounts on domain systems must use unique passwords. In the event a domain system is compromised, sharing the same password for local administrator accounts on domain systems will allow an attacker to move laterally and compromise multiple domain systems.ECSC-1 | ||||
| SV-56469r2_rule | AD.0009 | CCI-000366 | MEDIUM | Separate smart cards must be used for Enterprise Admin (EA) and Domain Admin (DA) accounts from smart cards used for other accounts. | A separate smart card for Enterprise Admin and Domain Admin accounts eliminates the automatic exposure of the private keys for the EA/DA accounts to less secure user platforms when the other accounts are used. Having different certificates on one card does not provide the necessary separation. The same smart card may be used by an administrator for both EA and DA accounts. IAIA-1 | ||||
| SV-56470r2_rule | AD.0010 | CCI-000199 | MEDIUM | Enterprise Admin (EA) and Domain Admin (DA) accounts that require smart cards must have the setting Smart card is required for interactive logon disabled and re-enabled at least every 60 days. | When a smart card is required for a domain account, a long password, unknown to the user, is generated. This password and associated NT hash are not changed as are accounts with passwords controlled by the maximum password age. Disabling and re-enabling the "Smart card is required for interactive logon" replaces the NT hash of the account with a newly randomized hash. Otherwise, the existing NT hash could be re-used for Pass-the-Hash in the future.IAIA-1 | ||||
| SV-56471r2_rule | AD.0011 | CCI-000199 | MEDIUM | Administrative accounts for critical servers, that require smart cards, must have the setting Smart card is required for interactive logon disabled and re-enabled at least every 60 days. | When a smart card is required for a domain account, a long password, unknown to the user, is generated. This password and associated NT hash are not changed as are accounts with passwords controlled by the maximum password age. Disabling and re-enabling the "Smart card is required for interactive logon" replaces the NT hash of the account with a newly randomized hash. Otherwise, the existing NT hash could be re-used for Pass-the-Hash in the future. Critical servers are any servers that provide functions that would significantly degrade mission effectiveness if disrupted, altered, or leaked. Examples include email, collaboration (e.g., SharePoint), virtualization, configuration management, file sharing, and backup servers. IAIA-1 | ||||
| SV-56472r2_rule | AD.0012 | CCI-000199 | MEDIUM | Other important accounts (VIPS and other administrators) that require smart cards must have the setting Smart card is required for interactive logon disabled and re-enabled at least every 60 days. | When a smart card is required for a domain account, a long password, unknown to the user, is generated. This password and associated NT hash are not changed as are accounts with passwords controlled by the maximum password age. Disabling and re-enabling the "Smart card is required for interactive logon" replaces the NT hash of the account with a newly randomized hash. Otherwise, the existing NT hash could be re-used for Pass-the-Hash in the future.IAIA-1 | ||||
| SV-56473r2_rule | AD.0013 | CCI-000366 | MEDIUM | Separate domain accounts must be used to manage public facing servers from any domain accounts used to manage internal servers. | Public facing servers should be in DMZs with separate Active Directory forests. If, because of operational necessity, this is not possible, lateral movement from these servers must be mitigated within the forest. Having different domain accounts for administering domain joined public facing servers, from domain accounts used on internal servers, protects against an attacker’s lateral movement from a compromised public facing server.IAIA-1 | ||||
| SV-56531r2_rule | AD.MP.0002 | CCI-000366 | MEDIUM | Systems used to manage Active Directory (AD admin platforms) must be Windows 7, Windows Server 2008 R2, or later versions of Windows. | AD admin platforms are used for highly privileged activities. The later versions of Windows offer significant security improvements over earlier versions of Windows. Windows 8.1 and Windows Server 2012 R2, or later, are preferred as they offer even better credential protections.ECSC-1 | ||||
| SV-56532r2_rule | AD.MP.0003 | CCI-000366 | MEDIUM | Separate domain administrative accounts must be used to manage AD admin platforms from any domain accounts used on, or used to manage, non-AD admin platforms. | AD admin platforms are used for highly privileged activities. The accounts that have administrative privileges on AD admin platforms must not be used on or used to manage any non-AD admin platforms. Otherwise, there would be a clear path for privilege escalation to EA/DA privileges. Where practicable, dedicated domain accounts that are used to manage AD admin platforms should be utilized, but otherwise Enterprise Admin (EA)/Domain Admin (DA) accounts may be used to manage AD admin platforms.ECPA-1 | ||||
| SV-56533r2_rule | AD.AU.0001 | CCI-000366 | MEDIUM | Usage of administrative accounts must be monitored for suspicious and anomalous activity. | Monitoring the usage of administrative accounts can alert on suspicious behavior and anomalous account usage that would be indicative of potential malicious credential reuse.ECAT-1 | ||||
| SV-56534r2_rule | AD.AU.0002 | CCI-000366 | MEDIUM | Systems must be monitored for attempts to use local accounts to log on remotely from other systems. | Monitoring for the use of local accounts to log on remotely from other systems may indicate attempted lateral movement in a Pass-the-Hash attack.ECAT-1 | ||||
| SV-56535r2_rule | AD.AU.0003 | CCI-000366 | MEDIUM | Systems must be monitored for remote desktop logons. | Remote Desktop activity for administration should be limited to specific administrators, and from limited management workstations. Monitoring for any Remote Desktop logins outside of expected activity can alert on suspicious behavior and anomalous account usage that could be indicative of potential malicious credential reuse.ECAT-1 | ||||
| SV-56888r2_rule | AD.MP.0004 | CCI-001084 | MEDIUM | Communications from AD admin platforms must be blocked, except with the domain controllers being managed. | AD admin platforms are used for highly privileged activities. Preventing communications to and from AD admin platforms, except with the domain controllers being managed, protects against an attacker's lateral movement from a compromised platform. Requirements in Firewall and Windows client STIGs restrict inbound communications, however outbound communications must be restricted as well to prevent inadvertent exposure of the privileged credentials used on these platforms.ECSC-1 | ||||
| SV-56889r2_rule | AD.0014 | CCI-000199 | MEDIUM | Windows service \ application accounts with administrative privileges and manually managed passwords, must have passwords changed at least every 60 days. | NT hashes of passwords for accounts that are not changed regularly are susceptible to reuse by attackers using Pass-the-Hash. Windows service \ application account passwords are not typically changed for longer periods of time to ensure availability of the applications. If a service \ application also has administrative privileges it will provide elevated access if compromised.IAIA-1 | ||||
| SV-67945r1_rule | AD.0015 | CCI-000366 | MEDIUM | Domain controllers must be blocked from Internet access. | Domain controllers provide access to highly privileged areas of a domain. Such systems with Internet access may be exposed to numerous attacks and compromise the domain. Restricting Internet access for domain controllers will aid in protecting these privileged areas from being compromised.ECSC-1 | ||||